Security audit

Asana

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Asana integration skill that discloses its network access, managed OAuth/API-key use, and Asana write capabilities.

Install only if you trust Maton to broker your Asana OAuth access. Confirm every write action before it runs, especially deletes and webhook creation, and avoid using webhook targets that point to localhost, private networks, or internal services unless you intentionally want Asana to contact them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding
The webhook section notes that Asana verifies the provided target URL, which causes an outbound request to whatever URL the user supplies. Without a strong user-facing warning and explicit confirmation workflow, an agent could be induced to trigger unexpected network access to third-party or internal endpoints, creating SSRF-like risk and information disclosure about reachable services.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.